TTL issue for pam_password with v2.0.0 about python-irodsclient HOT 15 CLOSED

you're sure it was being treated as 'hours' in 1.1.9? that seems... surprising.

https://github.com/irods/irods/blob/main/plugins/database/src/db_plugin.cpp#L7102

The number passed over the wire is multiplied by 3600, so it always has been hours. So this is the regression for the python client: by default v1 attempted to generate a native password with validity of 60 hours, and v2 takes the shorter 121 seconds from server side.

from python-irodsclient.

What version of the PRC are you using?
What version of iRODS are you experiencing this against?

from python-irodsclient.

What version of the PRC are you using?

>>> import irods
>>> irods.__version__
'2.0.0'

What version of iRODS are you experiencing this against?

>>> session.server_version
(4, 3, 1)

from python-irodsclient.

Oh right, the PRC version is in the title.

Anyway, have you adjusted your PAM TTL settings according to the following section?

• https://docs.irods.org/4.3.1/system_overview/configuration/#authentication-configuration

If yes, can you share what you have for each option?

from python-irodsclient.

these are:

[irods@gbiomed ~]$ iadmin get_grid_configuration authentication password_max_time
1209600
[irods@gbiomed ~]$ iadmin get_grid_configuration authentication password_min_time
121
[irods@gbiomed ~]$ iadmin get_grid_configuration authentication password_extend_lifetime
1

from python-irodsclient.

The real issue here is that in the v1 client the default password lifetime is 60 hours
https://github.com/irods/python-irodsclient/blob/v1.1.9/irods/connection.py#L440
(although the naming of that variable is confusing).

In v2 the default is that the server should decide on the lifetime

from python-irodsclient.

Everything is more configurable with 'seconds', so that was the new standard - so I think that part is expected/desired.

from python-irodsclient.

you're sure it was being treated as 'hours' in 1.1.9? that seems... surprising.

from python-irodsclient.

One thing that sticks out is the message at the end of stacktrace(?).

RuntimeError: Time To Live has expired for the PAM password, and no new password is given in legacy_auth.pam.password_for_auto_renew.  Please run iinit.

That is generated here:

Seems you may want to review this section. There are several PAM related option described there and they are referenced in the code leading to that exception.

• https://github.com/irods/python-irodsclient/tree/v2.0.0?tab=readme-ov-file#python-irods-client-settings-file

from python-irodsclient.

See the following for the full function impl. Notice the lines starting from line 470.

from python-irodsclient.

Actually correct code snippet is

https://github.com/irods/irods/blob/main/plugins/database/src/db_plugin.cpp#L7241-L7252

from python-irodsclient.

I think adding a settings file will allow you to make progress. The option you want to set in that file appears to be legacy_auth.pam.time_to_live_in_hours.

from python-irodsclient.

You may also need legacy_auth.pam.password_for_auto_renew.

from python-irodsclient.

Confused with this. Btw, we don't use the native authentication in our flow.

Note this line too, showing that eventually _login_pam routes through _login_native anyway, with a transformed value it receives from the server, as part of its own internal workings. Yes , it's been that way for a while! : )

from python-irodsclient.

I am closing this - because we decided to use the native scheme. And apparently we are touching on an issue that existed in older versions.

from python-irodsclient.